Network Attackers: Where In The World

Let’s have a look at who’s been trying to break into the SSH service on my development server recently, and where in the world they’re attacking from. Since I put fail2ban in place to trap these attempted dictionary attacks, it has logged the network addresses of every culprit. Here’s who got caught in recent activity:

That’s 28 attacks over the course of 48 days, originating from 26 different hosts (two were repeat offenders).
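As an added example (not code from the original post), here is a small Python script that does the tallying described above against fail2ban’s own log file: it picks out the `Ban` lines for the sshd jail, counts bans and distinct hosts, flags repeat offenders, and measures the observation window in days. The log lines below are constructed samples using RFC 5737 documentation addresses, not real attackers.

```python
import re
from collections import Counter
from datetime import datetime

# Matches fail2ban's own log format, e.g.
# "2024-03-01 02:14:07,513 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.5"
# "Unban" lines do not match because the pattern requires "] Ban ".
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>[0-9a-fA-F.:]+)$"
)


def parse_bans(lines, jail="sshd"):
    """Return (timestamp, ip) for every Ban event in the given jail."""
    events = []
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m and m.group("jail") == jail:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def summarize(events):
    """Aggregate ban events into the figures a short report would quote."""
    if not events:
        return {"bans": 0, "hosts": 0, "repeat_offenders": [], "days": 0}
    per_ip = Counter(ip for _, ip in events)
    first = min(ts for ts, _ in events)
    last = max(ts for ts, _ in events)
    return {
        "bans": len(events),
        "hosts": len(per_ip),
        "repeat_offenders": sorted(ip for ip, n in per_ip.items() if n > 1),
        "days": (last - first).days + 1,  # inclusive span of the sample
    }


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01 02:14:07,513 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-03 11:40:22,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.17
2024-03-03 11:50:22,001 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-09 23:05:51,877 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-10 04:12:09,340 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 192.0.2.44
2024-03-12 19:33:18,660 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.90
""".splitlines()

if __name__ == "__main__":
    print(summarize(parse_bans(SAMPLE_LOG)))
```

Point it at `/var/log/fail2ban.log` (read with `open(...)`) to reproduce the counts for a real server; the apache-auth line and the Unban line are deliberately excluded by the jail filter and the pattern.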

Digging through the regional Whois registries, we can find the geographic locations of the network segments to which these remote IP addresses were assigned, along with the names of the network operators:

The named registrants are network owners and operators, usually local ISPs; they are of course non-complicit intermediaries, not the attackers themselves. But these records do accurately reflect the geographic locations of the remote hosts from which the intrusion attempts originated. The listed country, at a minimum, is very reliable; IP geolocation by country with Whois should be over 95% accurate.

There’s no mistaking that these attacks tend to originate from China and the former Soviet bloc. These areas are home to bustling cybercrime industries. Attackers hope to uncover financial account data presumed to be stored on servers, or to commandeer machines as staging grounds for the infiltration of other lucrative targets.

This is just a tiny sample of all attack activity: one sensor on one port, on one host, on one network segment of the great wide internet that attackers direct their tools against. Attacks of this and other types, many of which are far more commonplace than SSH scans, originate from this same geographical profile.

How are you defending your network and data from these threats? Do you know about techniques for reducing your exposure? Let’s talk.